Monday 19 October 2020

WAF Options

Overview:  HTTP Traffic from users to web sites and API's need to have WAF protection.  Both Azure and AWS have good services to protect your API's and applications.  There is also the option to use a dedicated WAF Services.  When protecting large organizations with hybrid cloud providers then options like Barracuda, Imperva/Encapusla, F5 and Cloudflare are good enterprise level options.  Fundamentally, a WAF sits as an intermediary between the user and the resource they are requesting using HTTP.  I like to set my highest priority rule to DENY all HTTP & HTTPS traffic, then i specifically open the rules that i want to flow thru, a lot people do it the other way around in smaller implementations.

WAF Options:
  • Azure WAF simple in 1 region for a WAF especially with APIM and if you are an Azure customer simple got for an Azure Application Gateway with WAF enabled.  DDoS is s separate service that can be integrated before Azure WAF or Azure Firewall.  Cheaper per IP SKU option for specific IP adrs.
  • Azure Front Door WAF is pretty amazing, Cloudflare is historically the leader with similar functionality.  On Microsoft Azure the main two options for WAF are Front Door WAF (Best, most expensive) and Azure Application Gateway WAF.
  • Competitor  options: Barracuda WAF SaaS Service or Any software firewall KEMP, F5, Check Point, Fortinet/Fortigate, Cloudflare WAF, Akamai, AWS WAF, AWS Network Firewall, Cloud Armor is GCPs WAF I believe, ....  
  • Check WAF service has protection at least for DDoS, XSS, SQL injection attacks, SSL Termination if you need it, Managed RuleSets.
  • AWS WAF is for web traffic (layer 7), there is a separate AWS Shield service that is used for DDos attacks.  AFS can be applied at a Application Load Balancer, Amazons API Gateway, and Amazon CloudFront.  With AWS WAF you also get Shield (standard free).  Shield adds advanced features and the standard version that is always included by default with AWS WAF has monitoring and DDoS protection.
  • Barracuda WAF is a SaaS Service that has worked fairly well for me.  Has a fair amount of options and rules.  Has add-ons like anti-virus scanning.
  • Imperva WAF was previously called Incapsula WAF, that provides a SaaS WAF service including Smart DDoS (block dodgy traffic and passes thru good requests), API Security, SQL injections, Xss.  Multiple data centers around the world.
  • Cloudflare is a Secure access service edge (SASE).  Cloudflare provides a WAF service at hundreds of endpoints around the globe (for instance there are 5 Cloudflare endpoints in Australia).  WAF functionality like SSL, DDoS (L7), customer rule e.g. rate limiting, OWASP rules applied, "api protection", et al. is done close to the user request (nice low latency) and then if successful it is pushed to the backend.

 

Last Updated: 2022-03-15

Posted by Paul Beck at 07:59 0 comments
Labels: , , , , , , , ,

Friday 9 October 2020

App Insights - Website and API Monitoring

Overview:  App Insights has functionality to run scheduled web requests and log the output in App Insights.  There are multiple advantages to this including end to end active monitoring of web sites and API's, and keeping the application warm.

Below I show a simple request to my blog (public website) and the results, Azure refers to this test type as a URL Ping test which is basically a URL HTTP GET request.  


Wait a few minutes and Refresh to see the results:

Very easy way to include a constant check that your API or Website is running.  There is also the options to create "Multi-step web test" using Visual Studio.  You can record the authentication and assert for known response content to build advanced constant monitoring.

Tip: The URL does need to be publicly available.

The content I used to test out the functionality comes from the Microsoft Docs site.
Also see Live Metric Stream that is part of App Insights.

Monitoring using Azure Monitor Dashboards:
  • The image above shows a dashboard that can be used to monitor a SaaS applications PaaS Infrastructure.
  • It's a good idea to create multiple dashboards and they can show the overview and allow the user to drill into specific areas.
  • Internal boards watching key API's, HTTP uptime ping type requests is also a good idea.

Updated: 11 Jan 2023 - Checkly looks like a great monitoring service that works with Playwright for continuous monitoring.  I like to keep all my SaaS on Azure, but Checkly is independent an as it is monitoring.

More Info: 
App Insights MultiStep Tests  Replacement Option for MultiStep Test based on Azure Functions
Posted by Paul Beck at 09:02 0 comments
Labels: , , ,

Thursday 1 October 2020

App Insights - Basic Introduction

OverviewAzure App Insights is a great platform for collecting logs and monitoring cloud based applications on Azure.  All Azure Services can push logging information into App Insight instances.  This can be errors, usages, performances logging that in turn is easy to query.  There are SDKs for developers that can be used to add custom logging to applications.  I am a big fan of AppDynamics for logging and monitoring but for SaaS and on a new project I'd go with App Insights.

Retention:  App Insights can keep 730 days worth of logs.  For long term storage, "Continuous Export" can be used to push data into storage accounts as soon as it arrives in AppInsights.  Retaining the App Insight logs for 90 days has no additional cost, so the default to store logs should be set to 90 days at least in most situations.

What is logged and what can be logged:  
  • All Azure Services can be configured to send service logs to a specific App Insight instance.
  • Instrument packages can be added to services to capture logs such as IIS, or background services.  You can pull in telemetry from infrastructure into App insights e.g. Docker logs, system events.
  • Custom code can also call the App Insight instance to add logging and hook into exceptions handling.  There are .NET, Node.JS, Python and other SDK's that should e used to add logging, exception capturing, performance and usage statistics.

App Insights has a REST API to query the logs.  The "API Explorer" tool is awesome for querying App Insights online.  


The data below comes from Microsoft Docs.

"What kinds of data are collected?

The main categories are:

  • Web server telemetry - HTTP requests. Uri, time taken to process the request, response code, client IP address. Session id.
  • Web pages - Page, user and session counts. Page load times. Exceptions. Ajax calls.
  • Performance counters - Memory, CPU, IO, Network occupancy.
  • Client and server context - OS, locale, device type, browser, screen resolution.
  • Exceptions and crashes - stack dumps, build id, CPU type.
  • Dependencies - calls to external services such as REST, SQL, AJAX. URI or connection string, duration, success, command.
  • Availability tests - duration of test and steps, responses.
  • Trace logs and custom telemetry - anything you code into your logs or telemetry."
App Insights creates a hierarchy of requests built up from the operationId, and operation_parentId.

Application Insights is part of Azure Monitor and makes it easy to trace user interaction.  Independent infrastructure for recording issues and tracing.   App Insights in 3 parts. 
  • Collect: Track infra/PaaS via instrumentation (throughput, speed, response times, failure rates, exceptions etc.), and via SDK (e.g. JavaScript SDK, C#) to add custom logging and tracing.  Blue boxes
  • Store: Stores the data.  Purple Box
  • Insights: Alerts, PowerBI, live metrics, REST API.  Green Box
Extending App Insights:
For long running operations like using queues or ESB you will need to tie the operations together, and it's really easy to connect this in a hierarchy using distributed tracing.  

SPA's:  There is a JavaScript SDK but logging on SPA's needs configuration and understanding as not every operation is logged uniquely for tracing.

Smart Detection: automatically tries to quickly warn you of problems/abnormalities and there root cause.

Snapshot Debugger/profiler: VS remote debugging can be hooked to an issue.  Shows execution traces from your live app.

Transaction Search:  Easy way to query and find data or unique info.


Posted by Paul Beck at 12:40 0 comments
Labels: , ,

Tuesday 29 September 2020

Secure APIM using AAD B2C

Overview:  I have never connected AAD B2C to APIM myself, other on my project teams havde done it so I went thru it and it was super easy.

Followed the instructions: 

https://docs.microsoft.com/en-us/azure/active-directory-b2c/secure-api-management?tabs=applications-legacy

Postman to validate:


PB APIM Series:
Secure APIM with AAD B2C
Developer Portal - Example documenting your API within YAML


Posted by Paul Beck at 13:46 0 comments
Labels: , ,

Sunday 13 September 2020

Building better Software Thoughts

Overview:  I see a lot of development teams, and they always seem to have areas they are good at and capabilities teams need improvement on.  Key is culture and building a happy team where team members trust and help one another.

Building a culture where teams enjoy code reviews is also key for successful Software projects.   To improve software, reviewing various areas not only code reviews are essential.  For me, clear requirements are the number 1 factor in improving teams performance.  

Companies are getting better at building software; I aim to work on these topics to improve the delivery of software within scrum teams:

  1. Code Reviews & Peer Reviews (Daily reviews are awesome, should be pretty short and enjoyable not someone trying to show off or hours long)
  2. Collaboration (Standups, Slack/Teams, Code tools have collaboration built in)
  3. Documentation & Requirements Reviews
  4. Better tooling including better CI/CD tooling including static analysis tools
  5. Unit Testing, automate coding standards, Integration testing, UI Testing, and API testing 
  6. Requirements (Use Stories are clear and Acceptance Criteria)
  7. Cadence is improving thanks predominately to Agile practices; I like short release cycles (2-3 weeks depending on the team and industry).  Changing requirements, indecision kills software projects.  Agile helps, but decisive knowledgeable product owners increase the likelihood of the project succeeding.

Benefits of Code, Documentation and Requirement Reviews:

  1. Improved software quality & product delivery
  2. Share domain knowledge
  3. Training team members (useful for onboarding new team members)
  4. Reduce support and fix costs
  5. Lower cost & faster development

Posted by Paul Beck at 19:59 0 comments
Labels:

Options Layering API's on Data Sources - Micrososervices kind of

Hasura takes data sources such as SQL, Postgress & MySQL and converts it into GraphQL API's.  SQL Server is in preview.  Service is available on Azure and hooks into AAD and AAD B2C.  Hasuru looks extremely interesting and useful.  Potentially a great time saver.

CDS/DataFelx/Oakdale - Allows for Entity creation and provides REST API's.

SharePoint lists provide HTTP API's for CRUD operations.

REST API's vs GraphQL

OpenAPI specification (previously known as the Swagger specification) is my default for an API, this allows for a known RESTful API that anyone with access can use.   Open API has set contracts that returned defined objects which is great, you can work with the API like a database with simple CRUD operations as defined by the specification.  The issue is that the returned objects are fixed in structure so you may need 2 or more queries to get the data you are looking for.  Alternatively, GrapghQL allows the developer to ask for the data exactly as the want it.
Open API example:
/api/user/{2} returns the user object  // Get the user object for user 2
/api/users/{2}/orders/10  // Returns the last 10 orders for the user
GraphQL example:
Post a single HTTP request.
query {
 User(id: "") {
    name
    email
    orders(last: 10 {
      orderid
      totalamount
      datemodified
    }
 }

Database Option Notes:
PostgreSQL - Hybrid relation database (Communitity edition free, standard and enterprise higher loads) sits on Linex but can also use Windows OS.  Replicas are used for additional read-only nodes (I think up to 5 geo relicas allowed) 
Can be hosted on Azure or AWS IaaS.  PostgreSQL is also offered as a fully managed service (PaaS) on Azure (either single server or hyperscale).
MariaDB community fork off MySQL - Open source relation database used in the LAMP app stack.  Azure MySQL manage service can have up to 5 replicas for read heavy workloads.

Posted by Paul Beck at 17:00 0 comments
Labels: , , , , , ,

Sunday 6 September 2020

Working with CDS data structures for non CRM types

Overview:  I am working on a Power Platform solution and I need to use CDS.  Basically, I need to be able to see and edit values within CDS.

Option 1: Microsoft SQL Server Management Studio (SSMS) version 18.6 allows connectivity and read-only access.  Here are the instructions.

Option 2XrmToolBox has fantastic tools for Dynamics and Power Apps.  There are a lot of individual tools from various contributors.

Here I am using "Entity Relationship Diagram Creator" to look at the relationships between the CDS entities.




Posted by Paul Beck at 15:52 0 comments
Labels: , ,
Subscribe to: Posts (Atom)